Anne van Kesteren wrote:
>
> tlr has some doubts whether the distinction between <form> POST and
> Access Control POST is sufficient enough to give Access Control POST a
> preflight OPTIONS as it might lead authors to think that they are
> protected against cross-site POST requests while in reality, if they
> don't do careful checking of the Content-Type header or require some
> kind of magic string previously obtained using a normal GET request,
> they are not.
>
> We earlier decided to let authors perform the additional check and
> require the preflight OPTIONS so I'll leave the specification as is
> unless people start changing their minds...

The specific attack I was worried about was SOAP service providers. These work by accepting XML data through POSTs and can perform potentially dangerous operations. While it is currently possible to use <form>s to send POST requests to such servers, it is not possible to send them using a proper XML content type. Hopefully servers will not successfully parse the data without a proper content type.

/ Jonas

Received on Thursday, 17 January 2008 08:31:44 GMT
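As an added illustration of the two checks Anne's message names (not code from the thread or from any W3C specification), the gate below contrasts a SOAP-style endpoint that parses any POST body as XML with one that first requires an XML media type and a token previously obtained over GET; the header name `X-Request-Token`, the token scheme and the sample requests are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Media types a plain HTML <form> can send cross-site without any preflight.
FORM_MEDIA_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# Media types a SOAP-style endpoint should actually expect for its payloads.
XML_MEDIA_TYPES = {"text/xml", "application/xml", "application/soap+xml"}


def media_type(headers):
    """Return the lower-cased media type from Content-Type, without parameters."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def naive_accepts(headers, body):
    """The exposed behaviour Jonas worries about: parse whatever arrives as XML
    and never look at Content-Type, so a <form>-originated body is treated the
    same as a real XML client request."""
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False


def hardened_accepts(headers, body, valid_tokens):
    """Only act on requests that a cross-site <form> cannot produce: the body
    must be declared with an XML media type, carry a token the client obtained
    earlier via a normal GET (assumed header X-Request-Token), and parse."""
    if media_type(headers) not in XML_MEDIA_TYPES:
        return False
    if headers.get("X-Request-Token") not in valid_tokens:
        return False
    try:
        ET.fromstring(body)
    except ET.ParseError:
        return False
    return True


# Constructed sample payload: a well-formed SOAP-like envelope.
ENVELOPE = b"<Envelope><Body><Transfer amount='5'/></Body></Envelope>"
# Constructed request: an XML body arriving under a media type a <form> can emit.
FORM_POST = ({"Content-Type": "text/plain"}, ENVELOPE)
# Constructed request: a legitimate client that fetched a token first.
XML_POST = ({"Content-Type": "application/soap+xml; charset=utf-8",
             "X-Request-Token": "tok-123"}, ENVELOPE)
```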
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 17 January 2008 08:31:45 GMT